[Openswan Users] Problem with ipsec connection

Paul Wouters paul at xelerance.com
Mon Jul 6 11:27:10 EDT 2009


On Mon, 6 Jul 2009, CrashOverload at gmx.de wrote:

> I got a problem to establish an IPSEC NAT-T connection from OpenSwan to a Nortel Gateway. From the Remote Admin I got encryption settings to set in my config. I'm using OpenSwan 2.6.22 and CentOS 5.2
>
> But the connection is always pending in ike phase 2.

That does not seem to be true:

> ipsec.conf:
>
>        authby=secret
>        auto=add
>        ike=3des-sha1-modp1024
>        esp=3des-sha1
>        forceencaps=no
>        left=192.168.25.77
>        leftid=192.168.25.77
>        leftsubnet=192.168.25.77/32
>        pfs=yes
>        right=12.13.14.15
>        rightid=12.13.14.15
>        rightsubnet=192.168.66.77/32
>        type=tunnel
>
>
>
> Output from /var/log/messages:
> ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
> ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
> ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T

That message needs some improvement, as it does not confirm that this is
working or not. Did you patch the kernel with NAT-T patch when using KLIPS,
or are you using NETKEY (you cut off lots of logs)?
The new style nat-t cannot work on the 2.6.18 based rhel/centos kernel.

> Output from /var/log/secure:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3ca25267 <0xf9dc8a26 xfrm=3DES_0 -HMAC_SHA1 NATOA=none NATD=none DPD=none}

This shows phase 2 completed, however, it appears to have done so without
NAT. You should see something like

STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xa5637a98 <0x1eeed27a xfrm=3DES_0 -HMAC_SHA1 NATOA=none NATD=1.2.3.4:4500 DPD=none}

Try forceencaps=yes? And make sure you have nat_traversal=yes in your
"config setup". (we should really change the default of that to yes if the
option is not explicitly set to no)

Paul
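The distinction Paul draws above (plain `ESP=>` versus `ESP/NAT=>` with a `NATD=` address in the "IPsec SA established" line) can be checked mechanically when auditing pluto logs. The following script is an added example, not code from Openswan or from either poster; it assumes the 2.6-era pluto line format shown in this thread, and the sample log is constructed (lines 2 and 3 are the two SA lines quoted above).

```python
import re

# Pluto's "IPsec SA established" line, as seen in Openswan 2.6 logs.
# Assumption: field order matches the two lines quoted in the thread.
SA_RE = re.compile(
    r"IPsec SA established (?P<mode>\w+) mode "
    r"\{(?P<proto>ESP|AH)(?P<nat>/NAT)?=>0x(?P<spi_out>[0-9a-fA-F]+) "
    r"<0x(?P<spi_in>[0-9a-fA-F]+) xfrm=(?P<xfrm>.+?) "
    r"NATOA=(?P<natoa>\S+) NATD=(?P<natd>\S+) DPD=(?P<dpd>\S+)\}"
)

def parse_sa_established(line):
    """Return a dict describing the SA, or None if this is not an SA-established line."""
    m = SA_RE.search(line)
    if m is None:
        return None
    return {
        "mode": m.group("mode"),
        "proto": m.group("proto"),
        "udp_encap": m.group("nat") is not None,  # "ESP/NAT" means ESP-in-UDP (NAT-T)
        "spi_out": int(m.group("spi_out"), 16),
        "spi_in": int(m.group("spi_in"), 16),
        "xfrm": m.group("xfrm"),
        "natd": None if m.group("natd") == "none" else m.group("natd"),
        "dpd": m.group("dpd"),
    }

def audit_sa_lines(lines, expect_nat_t=True):
    """Flag SAs that came up as plain ESP when the peer is known to be behind NAT."""
    findings = []
    for n, line in enumerate(lines, 1):
        sa = parse_sa_established(line)
        if sa is None:
            continue  # not an SA line (e.g. the NAT-Traversal probe messages)
        if sa["udp_encap"]:
            verdict = "ok: ESP in UDP, NAT-D peer %s" % sa["natd"]
        elif expect_nat_t:
            verdict = "warn: plain ESP without NAT-T; check nat_traversal=yes and forceencaps=yes"
        else:
            verdict = "ok: plain ESP"
        findings.append((n, verdict))
    return findings

# Constructed sample log: line 1 is a probe message, lines 2 and 3 are the SA lines from the thread.
SAMPLE_LOG = [
    "ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T",
    "STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3ca25267 <0xf9dc8a26 xfrm=3DES_0 -HMAC_SHA1 NATOA=none NATD=none DPD=none}",
    "STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xa5637a98 <0x1eeed27a xfrm=3DES_0 -HMAC_SHA1 NATOA=none NATD=1.2.3.4:4500 DPD=none}",
]

if __name__ == "__main__":
    for n, verdict in audit_sa_lines(SAMPLE_LOG):
        print("line %d: %s" % (n, verdict))
```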

